Anonymous hackers - how dey do dat? - Page 3


Re: Anonymous hackers - how dey do dat?

RayLopez99 wrote:
[quoted text not shown]

You might want to investigate heap spray techniques as well. Sometimes,
the attacked vulnerable program does indeed fall over, but the attacker
has enough control to corrupt the heap (in multiple places, and with NOP
sleds) so that another program *might* run the code that was sprayed there.

Re: Anonymous hackers - how dey do dat?


[quoted text not shown]

Why doesn't Windows have a sort of sandbox, so if a program crashes,
everything in that memory space is erased (zeroed)?  That would make
sense.  Don't see why NOP (no operation?) should work in a crashed
program.

RL

Re: Anonymous hackers - how dey do dat?

RayLopez99 wrote:
[quoted text not shown]

Another program running along might eventually hit the code that
corrupted its memory space and run it, but it would have to hit that
code right at its starting point. If you lead in to the starting point
with NOPs it provides a bigger surface and a greater likelihood that the
program flow (when it is its turn to run) steps into the corrupted area.
The NOPs act like a sled sliding the execution path right up into the
malicious code's starting point. While the NOP doesn't actually do
anything, the instruction pointer will still be incremented.

Re: Anonymous hackers - how dey do dat?

"FromTheRafters" wrote:

[quoted text not shown]

That's not correct. Each program has its own isolated memory space
even if it's the whole of memory. That's why it's called virtual
memory. Only the kernel has access to physical memory (in theory!)

Heap spraying in one program's address space can't corrupt memory
used by others.



Re: Anonymous hackers - how dey do dat?

Ant wrote:
[quoted text not shown]

I stand corrected.

I was trying to point out that execution of the malicious code's payload
is not guaranteed - sometimes just a DoS and sometimes more.


Re: Anonymous hackers - how dey do dat?

On Wed, 15 Dec 2010 21:12:25 -0500, FromTheRafters wrote:

[quoted text not shown]

Nope.
--
"When the Sicilians put out a contract, it's usually limited to the
continental United States, or maybe Canada or Mexico. But with the
Corsicans, it's international. They'll go anywhere. There's an old
Corsican proverb: 'If you want revenge and you act within 20 years,
you're acting in haste.' " ~Lou Conein

Re: Anonymous hackers - how dey do dat?

Ari Silverstein wrote:
[quoted text not shown]

You are correct, I miswrote. :o(

My point was that the overflow does not *always* cause an immediate
result, nor does it guarantee a particular result.

Re: Anonymous hackers - how dey do dat?

On Thu, 16 Dec 2010 12:52:55 -0500, FromTheRafters wrote:

[quoted text not shown]

Yep.
--
If you really must fellate me,
Though the thought appalls;
Remember work the shaft
And cup the balls.
http://tr.im/1f71

Re: Anonymous hackers - how dey do dat?


[quoted text not shown]

no! That's a lazy (imo) programmer; you can't blame the compiler if you
took shortcuts and didn't write code checks and a decent error handler.


--
Hackers are generally only very weakly motivated by conventional rewards
such as social approval or money. They tend to be attracted by
challenges and excited by interesting toys, and to judge the interest of
work or other activities in terms of the challenges offered and the toys
they get to play with.

Re: Anonymous hackers - how dey do dat?


[quoted text not shown]

Well perhaps you are correct, as by definition a run-time error like
overrunning a buffer will not be caught by the compiler.  But of
interest is the claim in this thread that even though a program
infected (or attacked) will crash, the vector (virus) program will
continue in memory--that was news to me.  Further explanation is
requested--don't see how that can be possible--I would think Windows
would have a protected memory space and if a program crashes
everything in that space is zeroed out, but I guess such sandboxing is
not done by Windows.

RL

Re: Anonymous hackers - how dey do dat?

[quoted text not shown]

| Well perhaps you are correct, as by definition a run-time error like
| overrunning a buffer will not be caught by the compiler.  But of
| interest is the claim in this thread that even though a program
| infected (or attacked) will crash, the vector (virus) program will
| continue in memory--that was news to me.  Further explanation is
| requested--don't see how that can be possible--I would think Windows
| would have a protected memory space and if a program crashes
| everything in that space is zeroed out, but I guess such sandboxing is
| not done by Windows.

Exploitation is not done by trojans or viruses, per se, except in the form of
Internet worms such as the Lovsan/Blaster and Sasser (some don't even consider
worms to be true viruses).

It could be in the form of: a PDF, a graphics file associated with GDI, a MS
Office document, how QuickTime processes Real Time Streaming Protocol (RTSP),
yada, yada....

It is the successful exploitation of the buffer overflow condition that causes
the subsequent infection and that can occur even if the end-user is using a
Limited User Account (LUA).

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Anonymous hackers - how dey do dat?


[quoted text not shown]

Depending on how you achieve the buffer overflow, your intended
instructions *may* get executed. It's not a guarantee. Google likely has
many user friendly explanations for a buffer overflow situation. I'd
recommend reading one or two articles and come back if you have specific
questions on it. They are runtime errors; thanks to (imo) poorly written
code, i.e. lacking a string check to ensure the data you're fixing to put in
the buffer will fit.


--
Hackers are generally only very weakly motivated by conventional rewards
such as social approval or money. They tend to be attracted by
challenges and excited by interesting toys, and to judge the interest of
work or other activities in terms of the challenges offered and the toys
they get to play with.
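The "lacking a string check" defect described in the post above, as an added illustration that is not part of this thread: a constructed C record type with a fixed-size name field, the unchecked copy the post criticises beside a copy that measures its input first and refuses anything that does not fit. The struct, the field sizes, the helper names and the 0xC0FFEE sentinel are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 16   /* size of the fixed buffer; assumed for the demonstration */

/* Constructed record type: the name buffer is followed by another field,
 * so a copy that overruns name[] silently clobbers flags (and whatever follows). */
struct record {
    char name[NAME_MAX];
    uint32_t flags;
};

/* The pattern the post criticises: nothing checks that src fits.
 * Correct only while src is shorter than NAME_MAX; longer input makes strcpy
 * write past the end of name[] into flags and beyond. Never call this with
 * input you have not measured. */
void set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened form: measure first, accept only what fits including the NUL terminator.
 * Note the >= : a check of `len > sizeof` would still let a 16-character name in and
 * drop its terminator one byte past the buffer (the classic off-by-one). */
int set_name_checked(struct record *r, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof r->name)
        return -1;                 /* reject oversized input instead of overrunning */
    memcpy(r->name, src, len + 1); /* len + 1 copies the terminator */
    return 0;
}

/* Exercises the checked copy with a constructed name of `len` 'A's.
 * Returns the copy's result (0 accepted, -1 rejected), -2 if the request exceeds
 * the scratch buffer, or -3 if the neighbouring flags field was disturbed. */
int try_name_of_length(size_t len)
{
    char src[64];
    if (len >= sizeof src)
        return -2;
    memset(src, 'A', len);
    src[len] = '\0';

    struct record r = { .flags = 0xC0FFEE };   /* sentinel: must survive untouched */
    int rc = set_name_checked(&r, src);
    if (r.flags != 0xC0FFEE)
        return -3;
    return rc;
}

int main(void)
{
    struct record r = { .flags = 0xC0FFEE };

    /* Both copies behave identically on well-formed input... */
    set_name_unchecked(&r, "alice");
    printf("unchecked, short input: name=%s flags=%#x\n", r.name, r.flags);

    /* ...the difference only shows when the input does not fit. */
    for (size_t len = 15; len <= 17; len++)
        printf("checked copy of %zu chars -> %d\n", len, try_name_of_length(len));
    return 0;
}
```

The check is deliberately placed before any byte is written: the length of the input is a fact the callee can establish for itself, so the fix does not depend on every caller remembering to do it.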

Re: Anonymous hackers - how dey do dat?

"RayLopez99" wrote:

[quoted text not shown]

I should have been clearer - the malware can't continue in the memory
space of the program it overflowed after it has crashed. The program
won't crash until the malware has done its dirty work because in
effect, the injected code has become part of that program. While the
malware is running, the original program code is not. The program will
probably crash if the injected code hands control back to it.

Sometimes the malicious code will terminate the original program
anyway by calling, say, ExitProcess. I've seen this with infected
PDFs, where the shellcode first drops and runs the payload, drops a
clean PDF, but before killing the PDF reader, starts a new instance
of it to display the clean file. The user may not notice anything is
amiss.



Re: Anonymous hackers - how dey do dat?

[quoted text not shown]

You sound knowledgeable.  Or you're a good faker.  In either event,
what language would this virus stuff be running at, what API?  Is this
some Javascript, or something unique to Adobe's API (whatever language
they use, probably Java or some variant), or is this virus stuff based
on the Windows API that back in the days I played around with in the
MFC, or all of the above or something else?  Perhaps this virus stuff
is done in assembly language, or IL pseudocode for .NET that is
injected in with the good code?  It's all very confusing how such
apparently piggybacking is done, especially since at least with .NET
all assemblies are cryptographically signed so you cannot introduce (I
think) bogus or extraneous executables with your package.

RL

Re: Anonymous hackers - how dey do dat?

"RayLopez99" wrote:

[quoted text not shown]


If you don't believe me, do your own research. You're supposedly a
programmer, so this stuff shouldn't be hard for you to grasp.

[quoted text not shown]

Yes, you obviously are confused. Here we are talking about code
injection by means of a buffer overflow or other vulnerability, not
viruses or other malware payloads it may deliver. That code must
already be in the form of binary machine instructions and to do
anything useful like download, create and execute a file must call
either the Win32/64 API, the native API on which it is built, or set
up its own call-gate sequence into the kernel which ultimately
controls such operations. Typically, the code finds exported functions
in kernel32.dll and calls them.

There is no piggybacking as such; it's all about diverting the flow
of execution to the malicious code injected into the process under
attack. It doesn't matter what language was used to write the host
process because it all boils down to machine code and once the CPU's
instruction pointer has been diverted to the injected code, the
original process is no longer in control. One thing that can guard
against these kinds of attacks is data execution prevention (DEP)
where areas of memory not meant to contain code are prevented from
executing instructions.

The PDF example I gave used ActionScript (Adobe's javascript) to
allocate huge blocks of memory and write copies of the binary code
(commonly called shellcode), prefixed with a massive NOP sled, into
them. It then called a buggy Adobe function with specially crafted
parameters to trigger the exploit. The idea is that the vulnerability
being exploited will corrupt the address value in the instruction
pointer which would normally make the program crash (it's pointing at
data or is invalid) but because so much memory has been allocated and
filled with code, that address now becomes valid and is pointing
somewhere in the NOP sled. The CPU then continues executing NOPs until
it reaches the malicious code.

If you want examples of how these attacks are constructed see the
Metasploit project.
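The DEP point above has a direct analogue a defender can check for: a binary can declare whether it wants an executable stack, and granting that request undoes the protection for that process. The following is an added example, not from this thread, written in C for Linux ELF64 binaries (the PT_GNU_STACK program header) rather than for Windows; the sample images are constructed in memory, the field offsets are those of the standard ELF64 layout, and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_GNU_STACK 0x6474e551u   /* program-header type that declares stack permissions */
#define PF_X         0x1u          /* execute bit in p_flags */

/* Little-endian field readers; all offsets below follow the standard ELF64 layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 1 if the image asks for an executable stack (the DEP/NX opt-out for that
 * process), 0 if it asks for a non-executable one, and -1 if the buffer is not a
 * well-formed little-endian ELF64 image or carries no PT_GNU_STACK header at all
 * (the loader then falls back to its default, so treat the binary as suspect).
 * Malformed program-header tables are rejected rather than read out of bounds. */
int elf64_stack_executable(const uint8_t *buf, size_t n)
{
    if (n < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 || buf[5] != 1) return -1;          /* ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = rd64(buf + 32);                     /* e_phoff */
    uint16_t phentsize = rd16(buf + 54);                 /* e_phentsize */
    uint16_t phnum = rd16(buf + 56);                     /* e_phnum */
    if (phentsize < 56) return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off < phoff || off > n || n - off < 56) return -1;   /* table runs past the image */
        const uint8_t *ph = buf + off;
        if (rd32(ph) == PT_GNU_STACK)                     /* p_type */
            return (rd32(ph + 4) & PF_X) ? 1 : 0;         /* p_flags */
    }
    return -1;
}

/* Builds a constructed, minimal 120-byte ELF64 image: the 64-byte header followed by
 * one PT_GNU_STACK program header carrying `stack_flags`. Not a loadable program,
 * just enough structure for the check above. Returns the image size. */
size_t build_sample_elf(uint8_t *out, uint32_t stack_flags)
{
    memset(out, 0, 120);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;  out[5] = 1;  out[6] = 1;   /* 64-bit, little-endian, ELF version 1 */
    out[16] = 2;                            /* e_type = ET_EXEC */
    out[18] = 0x3e;                         /* e_machine = x86-64 */
    out[32] = 64;                           /* e_phoff = 64 */
    out[52] = 64;                           /* e_ehsize */
    out[54] = 56;                           /* e_phentsize */
    out[56] = 1;                            /* e_phnum */
    uint8_t *ph = out + 64;
    ph[0] = 0x51; ph[1] = 0xe5; ph[2] = 0x74; ph[3] = 0x64;   /* p_type = PT_GNU_STACK */
    ph[4] = (uint8_t)(stack_flags & 0xff);                     /* p_flags (low byte is enough) */
    ph[48] = 16;                                               /* p_align */
    return 120;
}

/* Convenience wrapper: build a sample with the given p_flags and classify it. */
int sample_stack_executable(uint32_t stack_flags)
{
    uint8_t img[120];
    size_t n = build_sample_elf(img, stack_flags);
    return elf64_stack_executable(img, n);
}

int main(void)
{
    printf("GNU_STACK RW  -> %d (non-executable, DEP/NX honoured)\n", sample_stack_executable(0x6));
    printf("GNU_STACK RWE -> %d (executable stack requested)\n", sample_stack_executable(0x7));
    printf("not an ELF    -> %d\n", elf64_stack_executable((const uint8_t *)"not an elf", 10));
    return 0;
}
```

On a real system the same information is what `readelf -lW <binary>` prints in its GNU_STACK line (RW versus RWE); the Windows counterpart to this opt-in is the NX-compatible flag in the PE header that DEP consults.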



Re: Anonymous hackers - how dey do dat?

[quoted text not shown]

No, this stuff is harder than it sounds.

[quoted text not shown]

But how does it get there?  That's the question.  Simple example:  I
have malware, I pretend it's something good and ask the end user to
install it on their machine.  End user complies.  The malware installs
itself with the user's permission.  The user clicks on the malware
icon.  Malware launches.  Malware reformats user's hard drive.  That's
straightforward.  But what this thread is about is a user using their
browser and/or giving permission to a hacker group to try and
penetrate their machine, and without doing more, the machine being
taken over by a virus/bot/vector/something bad.  How dey do dat?


From the (Metasploit) Megasploit entry for Wikipedia, which you
thoughtfully provided:

http://en.wikipedia.org/wiki/Metasploit_Project

The basic steps for exploiting a system using the Framework include -
Choosing and configuring an exploit (code that enters a target system
by taking advantage of one of its bugs; about 300 different exploits
for Windows, Unix/Linux and Mac OS X systems are included);
Checking whether the intended target system is susceptible to the
chosen exploit (optional);
Choosing and configuring a payload (code that will be executed on the
target system upon successful entry, for instance a remote shell or a
VNC server);
Choosing the encoding technique to encode the payload so that the
intrusion-prevention system (IPS) will not catch the encoded payload;
Executing the exploit.
This modularity of allowing to combine any exploit with any payload is
the major advantage of the Framework: it facilitates the tasks of
attackers, exploit writers, and payload writers.

Notice the step "Choosing the encoding technique"--that's important.
Exploiting bugs is also interesting "about 300".

[quoted text not shown]

OK, DEP, Johnny DEP.  Learned something new.

[quoted text not shown]

Do you think Adobe's javascript is less secure than Microsoft's
Silverlight, which is a .NET platform?  I would like to think so.
Like I say, .NET cryptographically signs all assemblies.

[quoted text not shown]

Thanks, about Metasploit.

RL

Re: Anonymous hackers - how dey do dat?

"RayLopez99" wrote:

[quoted text not shown]


I just said (see above) - "by means of a buffer overflow or other
vulnerability". To be more specific; the user visits a web page
containing media (PDF, SWF, ASF, MOV, etc.) which is designed to
exploit vulnerabilities in the viewer software. These media types are
not always static "documents" but often contain scripts.

[quoted text not shown]

That's "social engineering".

[quoted text not shown]

This subthread is about automatic execution of malicious code which
the user didn't expect, caused by bugs, not about being tricked into
installing and running something. Your original question has been
answered and was based on what a computer ignorant journalist said.
Please review the thread.

[quoted text not shown]

Just like you provided the CNN link.

[quoted text not shown]


What about it? Do you understand what it means?

[quoted text not shown]

I saw nothing that made it wrong...

[quoted text not shown]

...That's how it works.

[quoted text not shown]


It's nothing to do with the script security but the vulnerable
functions/components the script calls.

[quoted text not shown]

So what?



Re: Anonymous hackers - how dey do dat?

On Fri, 17 Dec 2010 16:59:44 -0000, Ant wrote:

[quoted text not shown]

Uh, "ant" you do realize you are being TROLLED. It's your time waste
it if you want with this gabardine dick stroker.

Re: Anonymous hackers - how dey do dat?


| Uh, "ant" you do realize you are being TROLLED. It's your time waste
| it if you want with this gabardine dick stroker.

He's not being trolled.

Ray is "thick" as a brick and can't overcome his own thought processes.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Anonymous hackers - how dey do dat?

wrote:
[quoted text not shown]

You're dumb as shit.

[quoted text not shown]

Still promoting that malware you wrote?  Get over it.

RL
